David van Zijl wrote:
Is it possible to get stunnel to disconnect people on a graceful restart when a certificate has expired?
Breaking invalid sessions is more complex than people might think. Validating sessions would also involve performing an OCSP request, checking whether the local certificate was revoked by the remote site, etc.
I think the only reasonable way to implement it would be to execute SSL_renegotiate() for each SSL structure, so it renegotiates encryption on the next data transfer. stunnel does not even keep a list of all SSL structures now. Would you like to sponsor this feature?
Mike
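The mechanism sketched in the reply above, as an added example that is not stunnel's code and not written by either participant: a per-connection registry of the kind the reply says stunnel does not keep, plus a sweep run on graceful restart that requests renegotiation on every session whose certificate is past its notAfter date. So that it compiles without OpenSSL, the SSL* is held as an opaque pointer and the call to SSL_renegotiate() is replaced by a function pointer (`renegotiate_fn`); the registry type, function names and the timestamps in `demo_sweep` are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_CONNS 64

/* Stand-in for SSL_renegotiate(): returns 1 on success, like OpenSSL does.
 * In a real build this would be SSL_renegotiate on an SSL*. */
typedef int (*renegotiate_fn)(void *ssl);

/* Hypothetical per-connection record (not a stunnel structure). */
struct tracked_conn {
    void  *ssl;            /* would be SSL* in a real implementation */
    time_t cert_not_after; /* notAfter of the certificate used on this session */
    int    pending;        /* set once renegotiation has been requested */
};

struct conn_registry {
    struct tracked_conn conns[MAX_CONNS];
    size_t count;
};

void registry_init(struct conn_registry *r) { memset(r, 0, sizeof *r); }

/* Record a new session and the expiry of the certificate it was set up with. */
int registry_add(struct conn_registry *r, void *ssl, time_t not_after) {
    if (r->count >= MAX_CONNS) return -1;
    r->conns[r->count].ssl = ssl;
    r->conns[r->count].cert_not_after = not_after;
    r->conns[r->count].pending = 0;
    r->count++;
    return 0;
}

/* Forget a session once it is closed (swap-with-last removal). */
void registry_remove(struct conn_registry *r, void *ssl) {
    for (size_t i = 0; i < r->count; i++) {
        if (r->conns[i].ssl == ssl) {
            r->conns[i] = r->conns[r->count - 1];
            r->count--;
            return;
        }
    }
}

/* Graceful-restart sweep: request renegotiation on each live session whose
 * certificate has expired at `now`. Each session is flagged at most once.
 * Returns the number of sessions newly flagged in this sweep. */
size_t registry_sweep(struct conn_registry *r, time_t now, renegotiate_fn renegotiate) {
    size_t flagged = 0;
    for (size_t i = 0; i < r->count; i++) {
        struct tracked_conn *c = &r->conns[i];
        if (c->pending || now <= c->cert_not_after) continue;
        if (renegotiate(c->ssl) == 1) {
            c->pending = 1;
            flagged++;
        }
    }
    return flagged;
}

/* --- constructed demo data, not real connections --- */
static int g_renegotiate_calls = 0;

static int fake_renegotiate(void *ssl) {
    (void)ssl;
    g_renegotiate_calls++;
    return 1;
}

/* Two expired certificates and one still valid at the constructed `now`.
 * Returns the count flagged by the first sweep (expected: 2). */
size_t demo_sweep(void) {
    static int a, b, c; /* addresses stand in for SSL* handles */
    struct conn_registry r;
    registry_init(&r);
    registry_add(&r, &a, (time_t)1690000000); /* expired */
    registry_add(&r, &b, (time_t)1710000000); /* still valid */
    registry_add(&r, &c, (time_t)1680000000); /* expired */
    return registry_sweep(&r, (time_t)1700000000, fake_renegotiate);
}

/* A second sweep must not re-request renegotiation on already-flagged
 * sessions. Returns 1 if the second sweep flags nothing new. */
int demo_sweep_is_idempotent(void) {
    static int a;
    struct conn_registry r;
    registry_init(&r);
    registry_add(&r, &a, (time_t)1690000000);
    registry_sweep(&r, (time_t)1700000000, fake_renegotiate);
    return registry_sweep(&r, (time_t)1700000000, fake_renegotiate) == 0;
}

int main(void) {
    printf("flagged on restart: %zu\n", demo_sweep());
    printf("second sweep idempotent: %d\n", demo_sweep_is_idempotent());
    return 0;
}
```

As the reply notes, this only forces a fresh handshake on the next data transfer; whether the renegotiated session is then rejected depends on the certificate checks performed during that handshake, and a full answer would also have to consult revocation (OCSP, CRL) rather than notAfter alone.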